Owning the Wireless Camera (and Its User)

In the second part of his series on camera security, security expert Seth Fogie examines the web interface of the AXIS 207W network camera to see what, if any, vulnerabilities might be lurking within the camera itself.

(b)Owning the Camera (and its user) - Title Page

In Part One of
this series, we examined the issues related to using a wireless camera for
surveillance. In short, we found that you can knock the camera offline several
ways, sniff the images being passed over the airwaves if the network is
unencrypted, and spoof the web interface of the camera using a man-in-the-middle
attack.

While these issues are all serious, it was during this research that we
started to examine the web interface of our AXIS 207W network camera to see
what, if any, vulnerabilities might be lurking within the camera itself. The
following details the results of our security review of this camera.

The AXIS 207W

AXIS has long been in the IP camera field and has numerous offerings. One of
these is the AXIS 207W, a wireless IP camera you can set up anywhere there is a
wireless network. The website states the following about the camera:

This entry-level network camera is ideal for securing small businesses, home
offices and residences over a local area network or the Internet. The built-in
microphone enables remote users to not only view, but also listen in on an area
and increase the monitoring options.

One of the key features of the camera is that it is built on BusyBox, a popular flavor of Linux found in embedded devices. As a
result, the camera contains a Bourne shell-compatible script interpreter
program, which means the 207W can be programmed to do many things that are
normally outside the scope of an IP camera. For example, people have set up the
camera to upload pictures to remote servers if an alarm event is triggered.
However, giving the user such power also means a successful attacker can have
such power and then leverage the camera against the network, as you will see
later in this article.

NOTE

It is important to note that many of the following issues exist on any
network device that is accessible via a web interface. While this article
focuses on the AXIS 207W, Linux-based embedded devices are very common. What
makes the camera a nice target is that a user must be connected to the camera to
see anything, where as the typical printer's web interface will rarely see
any activity. As a result, it is much more likely that web application
vulnerabilities on the camera will be easier to exploit.